7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.346 Low
EPSS
Percentile
97.1%
The remote host is running eDirectory, a popular directory service software from Novell.
A vulnerability in the eMBox utility included with the software allows an unauthenticated attacker to access local files or cause a denial of service condition.
Nessus was able to query the list of available eDirectory services on the remote host without using any credentials, see plugin output for more details.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(31851);
script_version("1.22");
script_cvs_date("Date: 2018/11/15 20:50:23");
script_cve_id("CVE-2008-0926");
script_bugtraq_id(28441);
script_xref(name:"Secunia", value:"29527");
script_name(english:"Novell eDirectory eMBox Utility Unauthorized Access (uncredentialed check)");
script_summary(english:"Checks if eDirectory services can be queried remotely.");
script_set_attribute(
attribute:"synopsis",
value:
"The remote host has an application installed that allows unauthorized
access to the system."
);
script_set_attribute(
attribute:"description",
value:
"The remote host is running eDirectory, a popular directory service
software from Novell.
A vulnerability in the eMBox utility included with the software
allows an unauthenticated attacker to access local files or cause a
denial of service condition.
Nessus was able to query the list of available eDirectory
services on the remote host without using any credentials, see
plugin output for more details."
);
script_set_attribute(
attribute:"see_also",
value:"https://seclists.org/bugtraq/2008/May/54"
);
script_set_attribute(
attribute:"see_also",
value:"https://support.microfocus.com/kb/doc.php?id=3477912"
);
script_set_attribute(
attribute:"solution",
value:
"Upgrade to eDirectory 8.8.2 or rename 'embox.nlm' and configure
it to start manually."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(287);
script_set_attribute(attribute:"plugin_publication_date", value: "2008/04/11");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:edirectory");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_ports(8008,8028);
exit(0);
}
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:8008, embedded:TRUE); # Cleartext http port on eDirectory 8.8
if (!get_port_state(port)) exit(0);
# POST requests take longer, so check if we are looking
# at a banner from novell product.
banner = get_http_banner(port: port);
if (!banner || (!egrep(pattern:"DHost/[0-9].[0-9] *HttpStk/[0-9].[0-9]",string:banner) && "NetWare HTTP Stack" >!< banner)) exit(0);
init_cookiejar();
# Request server info and get the Cookie.
postdata =strcat(
'<?xml version="1.0"?>','\n',
'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">\n',
'<SOAP-ENV:Header/><SOAP-ENV:Body><dispatch><Action>novell.embox.connmgr.serverinfo</Action>',
'<Object/><Parameters/></dispatch></SOAP-ENV:Body></SOAP-ENV:Envelope>\n'
);
# There was "HTTP/1.0" in the old request. I did not force the version
r = http_send_recv3(method: 'POST', item: '/SOAP', data: postdata, port: port,
add_headers: make_array( 'Content-Type', 'text/xml',
'Accept-Language', 'en-US;q=0.2, en;q=0.1',
'Accept-Charset', 'Cp1252',
'SOAPAction', '"/novell.embox.connmgr.serverinfo"') );
if (isnull(r)) exit(0);
res = r[0]+r[1]+'\r\n'+r[2];
# If we see serverinfo we can continue.
if ("novell.embox.connmgr.serverinfo" >< res)
{
if (! egrep(string: r[1], pattern: "^Set-Cookie2?:", icase: 1)) exit(0);
# Ok for all our efforts we got a Cookie.
# Now ask for list of services.
postdata2 = string(
'<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">',
'<SOAP-ENV:Header/><SOAP-ENV:Body><dispatch><Action>novell.embox.service.getServiceList</Action>',
'<Object/><Parameters><params xmlns:EMR="emtoolsmgr.dtd">',
'<EMR:NamesOnly>0</EMR:NamesOnly></params></Parameters>',
'</dispatch></SOAP-ENV:Body></SOAP-ENV:Envelope>'
);
# Same: HTTP/1.0 was forced (but there was a Host field)
r = http_send_recv3(method: 'POST', item: '/SOAP', data: postdata2, port: port,
add_headers: make_array( 'Content-Type', 'text/xml',
'Accept-Language', 'en-US;q=0.2, en;q=0.1',
'Accept-Charset', 'Cp1252',
'SOAPAction', '"/novell.embox.service.getServiceList"') );
if (isnull(r)) exit(0); # If the embox service is not running, we should exit here.
res2 = r[0]+r[1]+'\r\n'+r[2];
# Exit if we see an error
if ("</EBX:XError>" >< res2) exit(0); # eDirectory 8.8 sp2
# There is a problem if we see a list of services, with embox.dlm
# one of them.
found = 0;
service = NULL;
if ("eDirectory Management Tool Box Engine" >< res2)
{
line = NULL;
res3 = NULL;
res3 = split(res2, sep: ">");
if (isnull(res3)) exit(0);
foreach line (res3)
{
if (ereg(pattern:".*\.[dn]lm</name>$", string:line))
{
found++;
service = ereg_replace(pattern:"^(.+\.[dn]lm)</name>$",string:line ,replace:"\1");
report += string("+ ",service, "\n");
}
}
if (found)
{
report = string (
"\nThe following ",found, " services are available on the remote eDirectory install : \n\n",
report, "\n");
security_hole(port:port,extra:report);
}
}
}
Vendor | Product | Version | CPE |
---|---|---|---|
novell | edirectory | cpe:/a:novell:edirectory |